It looks like a scam mail. Has anyone else had this? There was no attachment or payload.
https://blog.lastpass.com/2022/08/notice-of-recent-security-incident/
Hello @"philrodo" @mrg9999
I appreciate your concerns. This email was sent from LastPass as a precautionary notification.
Just to clarify a couple of things, we immediately deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm. We have no evidence that this involved any access to customer data or encrypted password vaults. Please click here https://blog.lastpass.com/2022/08/notice-of-recent-security-incident/ for more information.
I had something similar today, too. I didn’t pay close attention, but as I recall they didn’t think that the user accounts were not compromised and that they are investigating the break-in and will inform us, later.
LastPass,
I have questions about client security. Given the type of breach that has been described, it would be possible for someone to add malicious commits that would run locally in the client. Such an attack could access the unencrypted passwords for a user, and send them to a third party.
I would like to see a communication that answers these questions:
- How do you know this has not happened?
- What pre-publish safeguards are in place to ensure a client build does not send data to unauthorized 3rd parties?
- What safeguards are in place to ensure a published client does not send data to an unauthorized 3rd party, even in the event of malicious code commits, and publish of a bad software version?
I just received a message from LastPass communicating that their development system had been hacked.
The report states at least three times "we have no evidence that..." with regard to end user exposure. This is very different from "we have evidence that no..." user exposure has taken place. Not very reassuring. Is it time to drop LastPass?
I use both Authy and LastPass. How concerned should I be? I read a couple articles mentioning some security related incidents. However, I don't understand everything that was in the article. Which leaves me wondering if the intruders didn't get very far and I'm OK or if they got in pretty good and I should be worried about my accounts.
I think you're right to be concerned. LP took a while to report this and then only after pressure.
If you have a really good master password then you will have nothing to be worried about. (for now 🙂 )
However LP is closed source and so we don't know how good the code is. If it has weaknesses then they will be exposed now that hackers gained access to a developer account.
I have been a LP user for years so I will stick with them. If I was a new user then I would go Bitwarden.
Recently received an email from LastPass stating that there had been a security incident, and that their development environment had been breached.
They hastened to assure (me and others) that customer data had not been compromised.
My concern is that even if customer data was not directly accessed, was the source code for LastPass accessed, or a significant portion of it? What concerns me is that if the code was copied, is it possible that people could 'reverse-engineer' the code and come up with a way to gain access to customer data at a later time? Sort of like stealing the impression of a master key, so they can have a key made later to get in, y'know?
It would be nice to know that whatever was accessed, such a thing would not be possible based on what *was* accessed.
Team,
What are the details of the LastPass hack which was announced last week?
Are there steps that we all need to take in order to secure our details going forward - various reports have said that customer data was stolen - NOT just source code.
Will LastPass be providing insurance and remediation services for customers who have thousands of their usernames/password/SS #, etc in this system?
Will all premium users be provided refunds for this breach?
Hi, @bmccune
While we continue to investigate, all information can be found on the LastPass Blog Post.
There was no indication that any customer data was accessed, and your passwords always remain encrypted locally so that not even we know what they are.
Somebody has stolen all my passwords (new ones and very old ones). I always used LastPass. The hacker sent me a list of my passwords and the email addresses of my friends. He wants 1500 US dollars not to publish my pics. Somebody tries to get into my Outlook account every hour. I had a contact on Twitter and he was sending tweets every 3 minutes, about 569 tweets every day. I'm not sure, but this contact was very new. I changed my router and changed all passwords. Maybe somebody is selling my data on the darknet or something. What is strange is that the passwords he sent me are very old ones, but some are new.